diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2013-09-25 23:03:08 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-09-25 23:03:08 +0200 |
commit | 210a437e105fbd92f1dd9c2c82f4a5efd80ca8fd (patch) | |
tree | cc8e853469bf8e2e26b08d086c11cd19132edcd4 | |
parent | 3308b443f9342cd597a9d7440d2315f0a65b1566 (diff) | |
parent | 54e03863691dcae73260f70108b3731b70773e7c (diff) | |
download | ffmpeg-210a437e105fbd92f1dd9c2c82f4a5efd80ca8fd.tar.gz |
Merge commit '54e03863691dcae73260f70108b3731b70773e7c' into release/0.10
* commit '54e03863691dcae73260f70108b3731b70773e7c':
vc1: check the source buffer in vc1_mc functions
bink: Bound check the quantization matrix.
xl: Make sure the width is valid
alsdec: Fix the clipping range
dsicinav: Bound-check the source buffer when needed
mov: Do not allow updating the time scale after it has been set
ac3dec: Don't consume more data than the actual input packet size
indeo: Reject impossible FRAMETYPE_NULL
Conflicts:
libavcodec/alsdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/ac3dec.c | 2 | ||||
-rw-r--r-- | libavcodec/alsdec.c | 18 | ||||
-rw-r--r-- | libavcodec/bink.c | 3 | ||||
-rw-r--r-- | libavcodec/dsicinav.c | 4 | ||||
-rw-r--r-- | libavcodec/ivi_common.c | 8 | ||||
-rw-r--r-- | libavcodec/vc1dec.c | 15 | ||||
-rw-r--r-- | libavcodec/xl.c | 5 | ||||
-rw-r--r-- | libavformat/mov.c | 5 |
8 files changed, 52 insertions, 8 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 9384dc7fbf..c11df7f9d0 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1345,7 +1345,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; - return s->frame_size; + return buf_size; } else { av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); } diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 643d25ee2f..d5a805cb63 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1159,6 +1159,12 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, return 0; } +static inline int als_weighting(GetBitContext *gb, int k, int off) +{ + int idx = av_clip(decode_rice(gb, k) + off, + 0, FF_ARRAY_ELEMS(mcc_weightings) - 1); + return mcc_weightings[idx]; +} /** Read the channel data. */ @@ -1179,14 +1185,14 @@ static int read_channel_data(ALSDecContext *ctx, ALSChannelData *cd, int c) if (current->master_channel != c) { current->time_diff_flag = get_bits1(gb); - current->weighting[0] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; - current->weighting[1] = mcc_weightings[av_clip(decode_rice(gb, 2) + 14, 0, 31)]; - current->weighting[2] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[0] = als_weighting(gb, 1, 16); + current->weighting[1] = als_weighting(gb, 2, 14); + current->weighting[2] = als_weighting(gb, 1, 16); if (current->time_diff_flag) { - current->weighting[3] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; - current->weighting[4] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; - current->weighting[5] = mcc_weightings[av_clip(decode_rice(gb, 1) + 16, 0, 31)]; + current->weighting[3] = als_weighting(gb, 1, 16); + current->weighting[4] = als_weighting(gb, 1, 16); + current->weighting[5] = als_weighting(gb, 1, 16); current->time_diff_sign = get_bits1(gb); current->time_diff_index = get_bits(gb, ctx->ltp_lag_length - 3) + 3; diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 16e3fd67a9..71b7d5fdc2 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -679,6 +679,9 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], const uint8_t * quant_idx = q; } + if (quant_idx >= 16) + return AVERROR_INVALIDDATA; + quant = quant_matrices[quant_idx]; block[0] = (block[0] * quant[0]) >> 11; diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 89de99d9a9..88187bb35f 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -188,11 +188,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char while (src < src_end && dst < dst_end) { code = *src++; if (code & 0x80) { + if (src >= src_end) + break; len = code - 0x7F; memset(dst, *src++, FFMIN(len, dst_end - dst)); } else { len = code + 1; - memcpy(dst, src, FFMIN(len, dst_end - dst)); + memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src)); src += len; } dst += len; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 3bf9455411..ec730cec82 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -822,6 +822,14 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } } + } else { + if (ctx->is_scalable) + return AVERROR_INVALIDDATA; + + for (p = 0; p < 3; p++) { + if (!ctx->planes[p].bands[0].buf) + return AVERROR_INVALIDDATA; + } } //STOP_TIMER("decode_planes"); } diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 7577f82408..d2f099871d 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -395,6 +395,11 @@ static void vc1_mc_1mv(VC1Context *v, int dir) } } + if (!srcY || !srcU) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + src_x = s->mb_x * 16 + (mx >> 2); src_y = s->mb_y * 16 + (my >> 2); uvsrc_x = s->mb_x * 8 + (uvmx >> 2); @@ -570,6 +575,11 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir) } else srcY = s->next_picture.f.data[0]; + if (!srcY) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + if (v->field_mode) { if (v->cur_field_type != v->ref_field_type[dir]) my = my - 2 + 4 * v->cur_field_type; @@ -856,6 +866,11 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir) srcV = s->next_picture.f.data[2] + uvsrc_y * s->uvlinesize + uvsrc_x; } + if (!srcU) { + av_log(v->s.avctx, AV_LOG_ERROR, "Referenced frame missing.\n"); + return; + } + if (v->field_mode) { if (chroma_ref_type) { srcU += s->current_picture_ptr->f.linesize[1]; diff --git a/libavcodec/xl.c b/libavcodec/xl.c index 78f34afa4e..50bd5f4fbf 100644 --- a/libavcodec/xl.c +++ b/libavcodec/xl.c @@ -69,6 +69,11 @@ static int decode_frame(AVCodecContext *avctx, stride = avctx->width - 4; + if (avctx->width % 4) { + av_log(avctx, AV_LOG_ERROR, "Width not a multiple of 4.\n"); + return AVERROR_INVALIDDATA; + } + if (buf_size < avctx->width * avctx->height) { av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); return AVERROR_INVALIDDATA; diff --git a/libavformat/mov.c b/libavformat/mov.c index 65d8798276..7ac838cf09 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -754,6 +754,11 @@ static int mov_read_mdhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + if (sc->time_scale) { + av_log(c->fc, AV_LOG_ERROR, "Multiple mdhd?\n"); + return AVERROR_INVALIDDATA; + } + version = avio_r8(pb); if (version > 1) { av_log_ask_for_sample(c, "unsupported version %d\n", version); |